The news was first leaked late Friday from the WSJ that “hackers have repeatedly penetrated the computer network of the company that runs the Nasdaq Stock Market during the past year.” That forced the Nasdaq to issue this statement that Nasdaq’s Directors Desk – a provider of board portal services to 300 companies – may have been compromised for over a year! Here’s more information from the NY Times and Dominic Jones’ IR Web Report.

Even though security breaches are a mainstay of modern life (check out the half a billion record breaches listed on this page), this could set back the board extranet movement a decade. And for good reason. Security is paramount when it comes to sensitive board materials. I can’t imagine companies not rethinking their posting of board materials online if their safety is at all in question.

I just can’t understand how the federal authorities have the ability to tell a service provider to not inform its clients that there has been a breach! Or why? What is the harm in Directors Desk telling its clients that there has been a breach so they can immediately protect their sensitive information? Even if the hacker was state-sponsored – as intimated by Jeffrey Carr in this blog (and as noted by Dominic Jones) – I don’t see how not informing boards of the breach can be justified, particularly given the seriousness of the breach. Carr notes in his blog: “The nth level effects of this breach could dwarf anything that we’ve seen to date.”

Of course, I still can’t wrap my head around how it took Directors Desk so long to discover the breach if enhanced security is what sold the product – it’s reported that the breach existed for over a year until it was discovered. Carr’s analysis of Directors Desk’s security measures is that they are no match for a serious hacker. Before passing judgment on the entire board portal industry, I’ll await his analysis of the security measures that other board portal providers utilize, but frankly I’m scared to hear that analysis…

SEC Speaks About a Lack of Funding

During last week’s annual PLI “SEC Speaks” Conference, many SEC officials talked about the agency’s limited funding and how hard it will be to implement Dodd-Frank timely on such a shoestring budget. For example, here are Chair Shapiro’s opening remarks, which she closed by talking about the strain of operating under the existing budget with expanded Dodd-Frank responsibilities. Later in the day, Corp Fin Director Meredith Cross mentioned that she can’t fully staff her newly created offices because of funding woes.

PLI has posted notes for each of the panels devoted to the SEC’s Divisions (but not the workshop sessions), including:

SEC Commissioner Casey raised a few eyebrows during her speech when she challenged the Enforcement Division’s ability to apply new Dodd-Frank provisions to conduct that pre-dated the enactment of the Act based on anti-retroactivity principles.